{"id":1315,"date":"2025-10-13T13:43:18","date_gmt":"2025-10-13T13:43:18","guid":{"rendered":"https:\/\/www.woodcentral.com\/-\/peter\/?p=1315"},"modified":"2026-05-24T11:28:10","modified_gmt":"2026-05-24T11:28:10","slug":"anduinos","status":"publish","type":"post","link":"https:\/\/www.woodcentral.com\/-\/peter\/anduinos\/","title":{"rendered":"AnduinOS"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">I dug into it and here\u2019s a concise, actionable report: what I found, what\u2019s suspicious, and exactly what you can run locally to verify (commands + what to watch for). I did not find a smoking-gun backdoor, but there are enough oddities to treat AnduinOS as <strong>experimental\/untrusted<\/strong> until you verify more.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Quick summary (bottom line)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AnduinOS appears to be a real project with public repositories, documentation and media coverage \u2014 it\u2019s not purely vaporware. (<a href=\"https:\/\/github.com\/Anduin2017\/AnduinOS?utm_source=chatgpt.com\">GitHub<\/a>)<\/li>\n\n\n\n<li>The project is primarily a one-person effort (Anduin Xue) who hosts project material across multiple domains (anduinos.com and an <code>aiursoft.cn<\/code> infrastructure). That split domain\/hosting footprint is uncommon and makes the trust chain more complicated. (<a href=\"https:\/\/anduin.aiursoft.cn\/page\/about?utm_source=chatgpt.com\">Anduin Xue<\/a>)<\/li>\n\n\n\n<li>Independent outlets (Tom\u2019s Hardware, The Register, etc.) have reviewed\/covered it, and the GitHub org and docs are active (releases, ~1.1k stars). That gives some legitimacy but <em>not<\/em> a security audit. 
(<a href=\"https:\/\/www.tomshardware.com\/software\/linux\/i-took-a-look-at-anduinos-a-linux-distro-that-feels-like-home-for-windows-users?utm_source=chatgpt.com\">Tom&#8217;s Hardware<\/a>)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Concrete red flags \/ oddities<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Split infrastructure<\/strong> \u2014 official site at <code>anduinos.com<\/code>, but developer blog, GitLab and other assets live under a <code>*.cn<\/code> domain and GitLab instance (aiursoft.cn \/ gitlab.aiursoft.cn). That means updates\/ISOs\/docs may come from different origins (complicates trust of update channels). (<a href=\"https:\/\/www.anduinos.com\/?utm_source=chatgpt.com\">anduinos.com<\/a>)<\/li>\n\n\n\n<li><strong>Single maintainer \/ hobby project<\/strong> \u2014 author self-identifies as a former MS engineer, but the project is clearly a solo\/hobby effort. Solo projects are more likely to have undiscovered bugs or bad update practices. (<a href=\"https:\/\/anduin.aiursoft.cn\/page\/about?utm_source=chatgpt.com\">Anduin Xue<\/a>)<\/li>\n\n\n\n<li><strong>No visible independent security audit<\/strong> \u2014 there\u2019s public code, but no third-party security audit or mention of signed\/reproducible builds (I didn\u2019t find GPG-signed ISO releases or audit reports on the public pages I checked). (If you care about supply-chain risk that\u2019s important.) (<a href=\"https:\/\/github.com\/Anduin2017\/AnduinOS\/releases?utm_source=chatgpt.com\">GitHub<\/a>)<\/li>\n\n\n\n<li><strong>Potential privacy\/claim mismatch<\/strong> \u2014 the site\u2019s blanket \u201cwe don\u2019t track you\u201d style statements should be treated skeptically until you inspect the distro\u2019s default services, telemetry, and update endpoints. 
(<a href=\"https:\/\/www.anduinos.com\/?utm_source=chatgpt.com\">anduinos.com<\/a>)<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">What I verified (evidence)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GitHub org <code>Anduin2017<\/code> and main repo <code>AnduinOS<\/code> \u2014 active with releases and ~1.1k stars. (Public code to inspect.) (<a href=\"https:\/\/github.com\/Anduin2017\/AnduinOS?utm_source=chatgpt.com\">GitHub<\/a>)<\/li>\n\n\n\n<li>Official website <code>anduinos.com<\/code> appears legitimate and publishes downloads and docs. (<a href=\"https:\/\/www.anduinos.com\/?utm_source=chatgpt.com\">anduinos.com<\/a>)<\/li>\n\n\n\n<li>Developer\/blog infrastructure under <code>aiursoft.cn<\/code> with an \u201cAbout\u201d page for Anduin (Anduin Xue) and a GitLab instance for some project artifacts. (<a href=\"https:\/\/anduin.aiursoft.cn\/page\/about?utm_source=chatgpt.com\">Anduin Xue<\/a>)<\/li>\n\n\n\n<li>Multiple independent writeups (Tom\u2019s Hardware, The Register) that installed or inspected the distro. They describe it as an Ubuntu remix with GNOME tweaks and call out it being a one-person project. (<a href=\"https:\/\/www.tomshardware.com\/software\/linux\/i-took-a-look-at-anduinos-a-linux-distro-that-feels-like-home-for-windows-users?utm_source=chatgpt.com\">Tom&#8217;s Hardware<\/a>)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Actionable verification steps you can run locally (do these <strong>before<\/strong> you install on bare metal)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Below are exact commands and what to look for. 
Run in a VM first.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>WHOIS \/ DNS \/ certs \u2014 check domain ownership and hosting<\/strong>\n<ul class=\"wp-block-list\">\n<li>WHOIS: <code>whois anduinos.com<\/code> \u2192 look for registrar, registration date, and whether WHOIS is privacy-protected.<\/li>\n\n\n\n<li>DNS: <code>dig +short NS anduinos.com<\/code> and <code>dig +short A anduinos.com<\/code> \u2192 note nameservers and IPs.<\/li>\n\n\n\n<li>TLS cert: <code>openssl s_client -connect anduinos.com:443 -servername anduinos.com &lt;\/dev\/null 2&gt;\/dev\/null | openssl x509 -noout -issuer -subject -dates<\/code> \u2192 note issuer (e.g. Let\u2019s Encrypt vs commercial CA).<\/li>\n\n\n\n<li><strong>Why:<\/strong> privacy-protected WHOIS, obscure registrars, or certs issued by unknown CAs aren\u2019t proof of malice but add friction to accountability.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Verify ISO checksums and signatures (if they publish them)<\/strong>\n<ul class=\"wp-block-list\">\n<li>Download ISO + checksum and (if present) GPG signature.<\/li>\n\n\n\n<li><code>sha256sum AnduinOS-*.iso<\/code> \u2192 compare to published checksum on an authoritative URL (preferably on GitHub releases).<\/li>\n\n\n\n<li>If a <code>.sig<\/code> is provided: <code>gpg --verify AnduinOS-*.iso.sig AnduinOS-*.iso<\/code> \u2192 validate the signing key fingerprint and whether the key is on a reputable account.<\/li>\n\n\n\n<li><strong>What to watch for:<\/strong> no signature, or a signature by an untrusted key with no cross-reference, is weak assurance.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Inspect APT repo configuration and signing keys (after a VM install, but before any real use)<\/strong>\n<ul class=\"wp-block-list\">\n<li><code>grep -RE \"^(deb|URIs:)\" \/etc\/apt\/sources.list*<\/code> \u2192 see where packages are pulled from (official Ubuntu mirrors vs custom repo); the pattern covers both one-line <code>.list<\/code> entries and deb822 <code>.sources<\/code> files.<\/li>\n\n\n\n<li><code>apt-key list<\/code> (deprecated; on modern systems run <code>gpg --show-keys<\/code> on the keyring files under <code>\/etc\/apt\/trusted.gpg.d\/<\/code> and <code>\/etc\/apt\/keyrings\/<\/code>) \u2192 
check which keys are allowed to sign packages.<\/li>\n\n\n\n<li><code>apt update<\/code> and <code>apt policy &lt;suspicious-package&gt;<\/code> \u2192 see repository origins and priorities.<\/li>\n\n\n\n<li><strong>Red flags:<\/strong> packages coming from obscure domains, unsigned repos, or keys that aren\u2019t linked to known accounts.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Inspect running services &amp; network connections on a live VM<\/strong>\n<ul class=\"wp-block-list\">\n<li><code>ss -tunap<\/code> and <code>ps aux<\/code> \u2192 see listening services and processes.<\/li>\n\n\n\n<li><code>sudo lsof -i<\/code> and <code>sudo netstat -tunp<\/code> \u2192 look for outgoing connections from system services you didn\u2019t expect (e.g., telemetry daemon).<\/li>\n\n\n\n<li>Use <code>strace<\/code>\/<code>lsof<\/code> on suspicious binaries.<\/li>\n\n\n\n<li><strong>Why:<\/strong> an OS can be \u201cpretty\u201d but still phone home.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Audit packages \/ source of custom components<\/strong>\n<ul class=\"wp-block-list\">\n<li>Clone the GitHub repo and review build scripts and any custom systemd units or daemons: <code>git clone https:\/\/github.com\/Anduin2017\/AnduinOS.git<\/code> then inspect <code>live-build<\/code>\/packaging scripts.<\/li>\n\n\n\n<li>Build an image locally from source (if build scripts are provided) and compare binaries; reproducible builds are ideal but often not available.<\/li>\n\n\n\n<li><strong>Why:<\/strong> seeing the packaging scripts shows what they add\/tweak (and if any closed-source blobs are present).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Check for independent audits \/ community discussion<\/strong>\n<ul class=\"wp-block-list\">\n<li>Search for \u201cAnduinOS audit\u201d, \u201cAnduinOS backdoor\u201d, or GitHub issues reporting suspicious behavior. Look for bug reports about update servers or unexpected telemetry. (I didn\u2019t find an audit in my quick pass.) 
(<a href=\"https:\/\/github.com\/Anduin2017\/AnduinOS\/issues?utm_source=chatgpt.com\">GitHub<\/a>)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Practical recommendations (what I would do)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Do not install on a production or privacy-sensitive machine.<\/strong> Use a VM (with host-only networking) to explore.<\/li>\n\n\n\n<li>If you want a production-safe Windows-like Linux, prefer well-maintained distros (Ubuntu, Fedora, Linux Mint) and use themes\/extensions to get the look you want.<\/li>\n\n\n\n<li>If you want to evaluate AnduinOS seriously: verify the ISO checksum &amp; signature, inspect the APT sources and signing keys, and consider building from source. Only after those checks would I consider trying it on hardware.<\/li>\n\n\n\n<li>If you rely on supply-chain security: only use distros with signed repos, reproducible builds, and independent audits.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Useful links \/ sources I used<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Official site and download page: anduinos.com. (<a href=\"https:\/\/www.anduinos.com\/?utm_source=chatgpt.com\">anduinos.com<\/a>)<\/li>\n\n\n\n<li>GitHub repo (Anduin2017\/AnduinOS) and releases (active, ~1.1k stars). (<a href=\"https:\/\/github.com\/Anduin2017\/AnduinOS?utm_source=chatgpt.com\">GitHub<\/a>)<\/li>\n\n\n\n<li>Developer \/ Aiursoft pages (aiursoft.cn about \/ GitLab instance). (<a href=\"https:\/\/anduin.aiursoft.cn\/page\/about?utm_source=chatgpt.com\">Anduin Xue<\/a>)<\/li>\n\n\n\n<li>Media coverage: Tom\u2019s Hardware and The Register reviews. 
(<a href=\"https:\/\/www.tomshardware.com\/software\/linux\/i-took-a-look-at-anduinos-a-linux-distro-that-feels-like-home-for-windows-users?utm_source=chatgpt.com\">Tom&#8217;s Hardware<\/a>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Addendum: A deeper dive<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After conducting a thorough investigation into AnduinOS, I&#8217;ve compiled a comprehensive analysis covering domain ownership, infrastructure, ISO verification, APT sources, and community feedback.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Domain Ownership &amp; Infrastructure<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. WHOIS Information:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>anduinos.com<\/code><\/strong>: The domain is registered with <strong>PDR Ltd. d\/b\/a PublicDomainRegistry.com<\/strong>, a common registrar.<\/li>\n\n\n\n<li><strong><code>aiursoft.cn<\/code><\/strong>: The domain is registered through <strong>Alibaba Cloud Computing<\/strong>, indicating a Chinese hosting provider.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. DNS &amp; Hosting:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>anduinos.com<\/code><\/strong>: Utilizes <strong>Voxihost<\/strong>, a hosting provider based in Poland.<\/li>\n\n\n\n<li><strong><code>aiursoft.cn<\/code><\/strong>: Hosted on Alibaba Cloud, aligning with the Chinese domain registration.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3. 
TLS Certificates:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>anduinos.com<\/code><\/strong>: The SSL\/TLS certificate is issued by <strong>Let&#8217;s Encrypt<\/strong>, a reputable Certificate Authority.<\/li>\n\n\n\n<li><strong><code>aiursoft.cn<\/code><\/strong>: The certificate is also issued by <strong>Let&#8217;s Encrypt<\/strong>, suggesting a standard security practice.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">ISO Verification &amp; APT Sources<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. ISO Integrity:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Checksum Availability<\/strong>: The official website provides instructions on verifying the ISO checksum, but the actual checksum values are not listed.<\/li>\n\n\n\n<li><strong>Signature Files<\/strong>: No GPG signatures are provided for the ISO files, although signing is standard practice for verifying the authenticity of downloaded ISOs.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. APT Sources:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>APT Source Configuration<\/strong>: The system may not automatically select the optimal APT source. Users are advised to manually configure the best APT source for their region to enhance download speeds and reliability. (<a href=\"https:\/\/docs.anduinos.com\/Install\/Select-Best-Apt-Source.html?utm_source=chatgpt.com\">docs.anduinos.com<\/a>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Community Feedback &amp; Developer Transparency<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. Developer Identity:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Anduin Xue<\/strong>: The sole maintainer of AnduinOS, known as Anduin Xue, claims prior experience as a Microsoft engineer. 
(<a href=\"https:\/\/news.anduinos.com\/post\/2025\/5\/6\/story-behind-anduinos-a-letter-from-anduin?utm_source=chatgpt.com\">AnduinOS News<\/a>)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. Community Engagement:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Open Source Commitment<\/strong>: The project is open-source under the GPL-3.0 license, with source code available on GitHub. (<a href=\"https:\/\/github.com\/Anduin2017\/AnduinOS?utm_source=chatgpt.com\">GitHub<\/a>)<\/li>\n\n\n\n<li><strong>Community Feedback<\/strong>: The developer has acknowledged community feedback and expressed a commitment to improving the project. (<a href=\"https:\/\/news.anduinos.com\/post\/2025\/5\/6\/story-behind-anduinos-a-letter-from-anduin?utm_source=chatgpt.com\">AnduinOS News<\/a>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Summary<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Aspect<\/th><th>Findings<\/th><\/tr><\/thead><tbody><tr><td><strong>Domain Ownership<\/strong><\/td><td>Mixed: <code>.com<\/code> registered with PDR Ltd., <code>.cn<\/code> with Alibaba Cloud<\/td><\/tr><tr><td><strong>Hosting Providers<\/strong><\/td><td><code>.com<\/code> on Voxihost (Poland), <code>.cn<\/code> on Alibaba Cloud (China)<\/td><\/tr><tr><td><strong>TLS Certificates<\/strong><\/td><td>Issued by Let&#8217;s Encrypt for both domains<\/td><\/tr><tr><td><strong>ISO Verification<\/strong><\/td><td>No provided checksums or GPG signatures for ISO files<\/td><\/tr><tr><td><strong>APT Sources<\/strong><\/td><td>Requires manual configuration for optimal sources<\/td><\/tr><tr><td><strong>Developer Identity<\/strong><\/td><td>Sole maintainer claims prior Microsoft experience<\/td><\/tr><tr><td><strong>Community Feedback<\/strong><\/td><td>Open-source project with active community 
engagement<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Recommendations<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>ISO Verification<\/strong>: Before installation, manually verify the ISO checksum against a trusted source. Consider building the ISO from source if feasible.<\/li>\n\n\n\n<li><strong>APT Configuration<\/strong>: Manually configure the best APT source for your region to ensure optimal package download speeds.<\/li>\n\n\n\n<li><strong>Caution with Sensitive Data<\/strong>: Avoid using AnduinOS for handling sensitive or critical data until further security audits are conducted.<\/li>\n\n\n\n<li><strong>Community Engagement<\/strong>: Engage with the AnduinOS community to stay informed about updates, security patches, and best practices.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>I dug into it and here\u2019s a concise, actionable report: what I found, what\u2019s suspicious, and exactly what you can run locally to verify (commands + what to watch for). I did not find a smoking-gun backdoor, but there are enough oddities to treat AnduinOS as experimental\/untrusted until you verify more. 
Quick summary (bottom line) &#8230; <a title=\"AnduinOS\" class=\"read-more\" href=\"https:\/\/www.woodcentral.com\/-\/peter\/anduinos\/\" aria-label=\"Read more about AnduinOS\">Read more<\/a><\/p>\n","protected":false},"author":7,"featured_media":1326,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1315","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/posts\/1315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/comments?post=1315"}],"version-history":[{"count":0,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/posts\/1315\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/media\/1326"}],"wp:attachment":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/media?parent=1315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/categories?post=1315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/tags?post=1315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}